Common Weakness Enumeration

CWE-87

Allowed

Improper Neutralization of Alternate XSS Syntax

Abstraction: Variant · Status: Draft

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

98 vulnerabilities reference this CWE, most recent first.

GHSA-FG89-G389-P346

Vulnerability from github – Published: 2025-10-16 20:41 – Updated: 2025-10-16 21:54
VLAI
Summary
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
Details

Summary

In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.

Details

The underlying problem is that SVG is XML/markup, so when it is uploaded and then directly rendered or embedded, script or event handlers within are allowed to run unless sanitized. In Bagisto, the integration of TinyMCE’s image upload (or media manager) may accept SVG files without sanitizing or rejecting unsafe content. When the SVG is later included (inline or via object/embed) in content displayed in admin or UI, the browser may execute the script portion of the SVG. The application might not validate the file content (i.e. inspect the SVG XML) or strip , onload, onclick, foreignObject, xlink:href injection, objects/embed tags, etc.

PoC

Navigate to any forms with TinyMCE editor. Attempt to upload a SVG file with embedded JavaScript. image JavaScript was triggered. image

Impact

Malicious script is stored in SVG file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T20:41:03Z",
    "nvd_published_at": "2025-10-16T19:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user\u2019s browser.\n\n### Details\nThe underlying problem is that SVG is XML/markup, so when it is uploaded and then directly rendered or embedded, script or event handlers within are allowed to run unless sanitized. In Bagisto, the integration of TinyMCE\u2019s image upload (or media manager) may accept SVG files without sanitizing or rejecting unsafe content. When the SVG is later included (inline or via object/embed) in content displayed in admin or UI, the browser may execute the script portion of the SVG. The application might not validate the file content (i.e. inspect the SVG XML) or strip \u003cscript\u003e, onload, onclick, foreignObject, xlink:href injection, objects/embed tags, etc.\n\n### PoC\nNavigate to any forms with TinyMCE editor. Attempt to upload a SVG file with embedded JavaScript.\n\u003cimg width=\"1580\" height=\"795\" alt=\"image\" src=\"https://github.com/user-attachments/assets/17df21a4-bfcd-4c51-a963-68f68241fd2e\" /\u003e\nJavaScript was triggered.\n\u003cimg width=\"1402\" height=\"409\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d0e326c3-6f23-449d-8f90-1e1032818d80\" /\u003e\n\n### Impact\nMalicious script is stored in SVG file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.",
  "id": "GHSA-fg89-g389-p346",
  "modified": "2025-10-16T21:54:49Z",
  "published": "2025-10-16T20:41:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bagisto/bagisto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)"
}

GHSA-FWX9-J2J6-84W3

Vulnerability from github – Published: 2024-04-03 03:30 – Updated: 2024-04-03 03:30
VLAI
Details

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget Attributes in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T03:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget Attributes in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-fwx9-j2j6-84w3",
  "modified": "2024-04-03T03:30:30Z",
  "published": "2024-04-03T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3162"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3062484"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d54c7623-25af-4bf1-a6e0-9022ec26f391?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7XQ-XV8C-H98C

Vulnerability from github – Published: 2024-04-17 00:20 – Updated: 2024-04-19 21:44
VLAI
Summary
Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
Details

Summary

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.

Our filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an <a> tag could be bypassed with tab \t or newline \n characters between the characters of the protocol, e.g. java\tscript:.

Impact

If you render an <a> tag with an href attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

a(href: user_profile) { "Profile" }

Mitigation

The best way to mitigate this vulnerability is to update to one of the following versions:

Workarounds

Configuring a Content Security Policy that does not allow unsafe-inline would effectively prevent this vulnerability from being exploited.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.10.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-17T00:20:23Z",
    "nvd_published_at": "2024-04-17T16:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThere is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.\n\nOur filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `\u003ca\u003e` tag could be bypassed with tab `\\t` or newline `\\n` characters between the characters of the protocol, e.g. `java\\tscript:`.\n\n### Impact\n\nIf you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.\n\n```ruby\na(href: user_profile) { \"Profile\" }\n```\n\n### Mitigation\n\nThe best way to mitigate this vulnerability is to update to one of the following versions:\n\n- [1.10.1](https://rubygems.org/gems/phlex/versions/1.10.1)\n- [1.9.2](https://rubygems.org/gems/phlex/versions/1.9.2)\n- [1.8.3](https://rubygems.org/gems/phlex/versions/1.8.3)\n- [1.7.2](https://rubygems.org/gems/phlex/versions/1.7.2)\n- [1.6.3](https://rubygems.org/gems/phlex/versions/1.6.3)\n- [1.5.3](https://rubygems.org/gems/phlex/versions/1.5.3)\n- [1.4.2](https://rubygems.org/gems/phlex/versions/1.4.2)\n\n### Workarounds\nConfiguring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.",
  "id": "GHSA-g7xq-xv8c-h98c",
  "modified": "2024-04-19T21:44:03Z",
  "published": "2024-04-17T00:20:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phlex-ruby/phlex"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32463.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `\u003ca\u003e` tags"
}

GHSA-GG6X-XX78-448C

Vulnerability from github – Published: 2020-06-03 21:58 – Updated: 2021-03-04 18:26
VLAI
Summary
Reflected XSS when importing CSV in OctoberCMS
Details

Impact

A user with the ability to use the import functionality of the ImportExportController behavior could be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question

Patches

Issue has been patched in Build 466 (v1.0.466).

Workarounds

Apply https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c to your installation manually if unable to upgrade to Build 466.

References

Reported by Sivanesh Ashok

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Threat assessment:

Screen Shot 2020-03-31 at 2 01 52 PM

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.319"
            },
            {
              "fixed": "1.0.466"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-03T21:26:48Z",
    "nvd_published_at": "2020-06-03T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA user with the ability to use the import functionality of the `ImportExportController` behavior could be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question\n\n### Patches\nIssue has been patched in Build 466 (v1.0.466).\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c to your installation manually if unable to upgrade to Build 466.\n\n### References\nReported by [Sivanesh Ashok](https://stazot.com/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n\u003cimg width=\"1100\" alt=\"Screen Shot 2020-03-31 at 2 01 52 PM\" src=\"https://user-images.githubusercontent.com/7253840/78070158-8f7ef580-7358-11ea-950c-226533f6a0a3.png\"\u003e",
  "id": "GHSA-gg6x-xx78-448c",
  "modified": "2021-03-04T18:26:46Z",
  "published": "2020-06-03T21:58:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5298"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/Aug/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reflected XSS when importing CSV in OctoberCMS"
}

GHSA-HMR2-99JM-8X45

Vulnerability from github – Published: 2026-06-09 09:32 – Updated: 2026-06-09 18:30
VLAI
Details

Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T09:16:28Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 2.0.0.\n\nAI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed.\nUsers are recommended to upgrade to version 2.0.1, which fixes the issue.",
  "id": "GHSA-hmr2-99jm-8x45",
  "modified": "2026-06-09T18:30:36Z",
  "published": "2026-06-09T09:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25688"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/x42joj43rqb38ms5q60f7bgq3qbo7t5q"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/09/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP5Q-QR77-457V

Vulnerability from github – Published: 2024-10-02 12:30 – Updated: 2024-10-07 21:33
VLAI
Details

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_label’ parameter in all versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-02T10:15:04Z",
    "severity": "MODERATE"
  },
  "details": "The WordPress Infinite Scroll \u2013 Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018button_label\u2019 parameter in all versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-hp5q-qr77-457v",
  "modified": "2024-10-07T21:33:29Z",
  "published": "2024-10-02T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8505"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ajax-load-more/trunk/core/classes/class-alm-shortcode.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3160896"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/ajax-load-more/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca29158a-ca60-46c7-93a5-bcf76e7666e4?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HPJG-HQR4-WGGC

Vulnerability from github – Published: 2023-06-28 15:30 – Updated: 2023-06-28 15:30
VLAI
Details

A vulnerability in the web-based management interface of Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, and Cisco Small Business 500 Series Stackable Managed Switches could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need to have valid credentials to access the web-based management interface of the affected device. Cisco has not released software updates to address this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-28T15:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, and Cisco Small Business 500 Series Stackable Managed Switches could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need to have valid credentials to access the web-based management interface of the affected device. Cisco has not released software updates to address this vulnerability.",
  "id": "GHSA-hpjg-hqr4-wggc",
  "modified": "2023-06-28T15:30:23Z",
  "published": "2023-06-28T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20188"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-sxss-OPYJZUmE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M837-G268-MMV7

Vulnerability from github – Published: 2025-07-25 14:08 – Updated: 2025-07-25 14:08
VLAI
Summary
Node-SAML SAML Authentication Bypass
Details

Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature.

This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username.

To conduct the attack an attacker would need a validly signed document from the identity provider (IdP).

In fixing this we upgraded xml-crypto to v6.1.2 and made sure to process the SAML assertions from only verified/authenticated contents. This will prevent future variants from coming up.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@node-saml/node-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-347",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T14:08:50Z",
    "nvd_published_at": "2025-07-24T23:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. \n\nThis allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username.\n\nTo conduct the attack an attacker would need a validly signed document from the identity provider (IdP).\n\nIn fixing this we upgraded xml-crypto to v6.1.2 and made sure to process the SAML assertions from only verified/authenticated contents. This will prevent future variants from coming up.",
  "id": "GHSA-m837-g268-mmv7",
  "modified": "2025-07-25T14:08:50Z",
  "published": "2025-07-25T14:08:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-saml/node-saml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/releases/tag/v5.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Node-SAML SAML Authentication Bypass"
}

GHSA-MCRH-QJ64-9C3P

Vulnerability from github – Published: 2026-04-08 03:32 – Updated: 2026-04-08 03:32
VLAI
Details

The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T02:16:02Z",
    "severity": "MODERATE"
  },
  "details": "The Elementor Website Builder \u2013 More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-mcrh-qj64-9c3p",
  "modified": "2026-04-08T03:32:14Z",
  "published": "2026-04-08T03:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14732"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5\u0026new_path=/elementor/tags/3.35.6"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWXJ-G7FW-7HC8

Vulnerability from github – Published: 2023-06-22 19:59 – Updated: 2023-06-26 16:33
VLAI
Summary
XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in restore template
Details

Impact

Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as:

/xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain)

This vulnerability exists since XWiki 9.4-rc-1.

Patches

The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.

Workarounds

It's possible to workaround the vulnerability by editing the template restore.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets.

References

  • Vulnerability in restore template: https://jira.xwiki.org/browse/XWIKI-20352
  • Introduction of the macro used for fixing this vulnerability: https://jira.xwiki.org/browse/XWIKI-20583
  • Commit containing the actual fix in the template: https://github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

Both vulnerabilities about the delete and restore templates have been reported by René de Sain @renniepak.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4-rc-1"
            },
            {
              "fixed": "14.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-1"
            },
            {
              "fixed": "15.1-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-22T19:59:33Z",
    "nvd_published_at": "2023-06-23T19:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nUsers are able to forge an URL with a payload allowing to inject Javascript in the page (XSS).\nIt\u0027s possible to exploit the restore template to perform a XSS, e.g. by using URL such as:\n\n\u003e /xwiki/bin/view/XWiki/Main?xpage=restore\u0026showBatch=true\u0026xredirect=javascript:alert(document.domain)\n\nThis vulnerability exists since XWiki 9.4-rc-1.\n\n### Patches\n\nThe vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. \n\n### Workarounds\n\nIt\u0027s possible to workaround the vulnerability by editing the template restore.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets.\n\n### References\n\n  * Vulnerability in restore template: https://jira.xwiki.org/browse/XWIKI-20352\n  * Introduction of the macro used for fixing this vulnerability: https://jira.xwiki.org/browse/XWIKI-20583\n  * Commit containing the actual fix in the template: https://github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nBoth vulnerabilities about the delete and restore templates have been reported by Ren\u00e9 de Sain @renniepak.",
  "id": "GHSA-mwxj-g7fw-7hc8",
  "modified": "2023-06-26T16:33:58Z",
  "published": "2023-06-22T19:59:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mwxj-g7fw-7hc8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20352"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20583"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in restore template"
}

Mitigation
Implementation

Resolve all input to absolute or canonical representations before processing.

Mitigation
Implementation

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Mitigation MIT-30.1
Implementation

Strategy: Output Encoding

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Mitigation MIT-31
Implementation

Strategy: Attack Surface Reduction

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CAPEC-199: XSS Using Alternate Syntax

An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.